Question Why is postfix running as root?

[Maximilian Füsslin]

Hello,

I saw in master.cf file, that plesk configured postfix to run as root.

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
cleanup   unix  n       -       y       -       0       cleanup
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}


plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
pickup fifo n - - 60 1 pickup
qmgr fifo n - n 1 1 qmgr
smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db

plesk-94.130.34.42-2a01-4f8-10b-1f55--2 unix - n n - - smtp -o smtp_bind_address=94.130.34.42 -o smtp_bind_address6=2a01:4f8:10b:1f55::2 -o smtp_address_preference=ipv4

plesk-94.130.34.42- unix - n n - - smtp -o smtp_bind_address=94.130.34.42 -o smtp_bind_address6= -o smtp_address_preference=ipv4

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

Look for the lines:

plesk-94.130.34.42-2a01-4f8-10b-1f55--2 unix - n n - - smtp -o smtp_bind_address=94.130.34.42 -o smtp_bind_address6=2a01:4f8:10b:1f55::2 -o smtp_address_preference=ipv4

plesk-94.130.34.42- unix - n n - - smtp -o smtp_bind_address=94.130.34.42 -o smtp_bind_address6= -o smtp_address_preference=ipv4

name      type   private  unpriv chroot wakeup  maxproc command
plesk-..  unix   -        n      n      -       -       smtp -o ..

The unpriv=n part tells postfix to run as root (and not under the postfix user!). Why does PLESK configure postfix to run as root? Which services does need that extended privileges? Can I safely change unpriv=n to unpriv=y to let postfix run under unix user postfix instead of root and thus more safely?

 

[IgorG]

Why does PLESK configure postfix to run as root? Which services does need that extended privileges?

Because it is the master process, and this is necessary for binding to ports < 1024 at least.
You can try to set up more secure permissions but note that we do not test and support it.

 

[Maximilian Füsslin]

Thank you for your answer.
Ok I understand that master process must be running as root because of port bindings. But what about the spawning-processes (postfix does spawn new process if mails get send out, which should run as user postfix).
I try to secure my server, especially the mail delivery (because I had spam issues in the past). So I want only postfix to be allowed to send mails through destination port 25.
Iptables:

iptables -A OUTPUT -m owner --uid-owner postfix -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

But with this rule no more emails can be send. Therefore postfix does not run under the "postfix" user as it is recommended by the postfix manual.
If I use however:

iptables -A OUTPUT -m owner --uid-owner root -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

Emails can be delivered. So my conclusion is that the whole postfix stuff is running as root (not only the master process).
Is that right?

 

[IgorG]

Is that right?

No. Spawning processes run with lower privileges.

 

[Maximilian Füsslin]

Ok. Thank you for clarification. But then there is the question why the iptables rule does prevent email sending. Because if the spawning processes run under the user postfix the iptables rule should work and let traffic pass through...
Can you help me with an iptables rule which only allows postfix to send emails though port 25?
Thank you.

 

[IgorG]

Why don't you just use the Outgoing Mail Control Plesk feature?

 

[Maximilian Füsslin]

Because I thought that maybe some other non-PLESK services / programs can (mis-)use postfix to send spam f.e.
I enabled Outgoing Mail Control-Feature already in PLESK limiting email sending to 300 for my domain (and disallow sendmail).